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Abstract 

Recently, a novel image encryption scheme based on improved hyperchaotic sequences was proposed. A pseudo- 
random number sequence, generated by a hyper-chaos system, is used to determine two involved encryption functions, 
bitwise exclusive or (XOR) operation and modulo addition. It was reported that the scheme can be broken with some 
pairs of chosen plain-images and the corresponding cipher-images. This paper re-evaluates security of the encryption 
scheme and finds that the encryption scheme can be broken with only one known plain-image. The performance of 
the known-plaintext attack, in terms of success probability and computation load, become even much better when two 
known plain-images are available. In addition, security defects on insensitivity of encryption result with respect to 
changes of secret key and plain-image, are reported also. 
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1. Introduction 

The popularization of image capture devices and fast 
improvement of transmission speed over all kinds of 
networks makes security of image become more and 
more important. However, the traditional text encryp- 
tion techniques can not protect image efficiently due to 
the big difference between image and text. The subtle 
similarities between chaos and cryptography attracts re- 
searchers consider chaos as a novel way to design secure 
and efficient encryption schemes HI El El - Meanwhile, 
some cryptanalysis work demonstrated that some chaos- 
based encryption schemes are insecure against various 
conventional attacks of different extents from the view- 
point of modern cryptology E H \M . Some 
general approaches evaluating security of chaos-based 
encryption schemes were summarized in iTTTTl . 

In fT2l . a novel image encryption scheme based on 
improved hyperchaotic sequences was proposed, where 
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a pseudo-random number sequence (PRNS), generated 
by a four-dimensional hyper-chaos system, is used to 
control modulation addition and bitwise exclusive or 
operation. Shortly after publication of [12], Fatih et 
al. found that equivalent secret key of the encryption 
scheme can be obtained by brute-force when some cho- 
sen plain-images and the corresponding cipher-images 
are available fT3ll . The present paper re-evaluates secu- 
rity of the encryption scheme proposed in [12], and finds 
the following security problems: (1) the scope of equiv- 
alent secret key of the encryption scheme can be nar- 
rowed efficiently by comparing one known plain-image 
and the corresponding cipher-image; (2) the equivalent 
secret key can be easily confirmed when two known 
plain-images and the corresponding cipher-images are 
available; (3) encryption results are not sensitive with 
respect to changes of plain-images/secret key. 

The rest of this paper is organized as follows. The 
next section introduces the image encryption scheme 
under study briefly. Section [3] review the cryptanalysis 
work proposed by Fatih et al and then present an ef- 
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ficient known-plaintext attack on the image encryption 
scheme under study in detail with some experimental 
results. The last section concludes the paper. 

2. The image encryption scheme under study 

The plaintext of the image encryption scheme un- 
der study is a gray scale image. Without loss of gen- 
erality, the plain-image can be represented as a one- 
dimensional 8-bit integer sequence P = {p(j)}\ =l by 
scanning it in the raster order, where L is number of 
pixels of the plain-image, and L is assumed to be a mul- 
tiple of 4. Correspondingly, the cipher-image is denoted 
by C = {c(i)}f =v Then, the proposed image encryption 
scheme can be described as followsEJ 

• The secret key: initial state (x(0), y(0),z(0), w(0)) 
of the hyperchaotic system proposed in lfT4l . 

x = a(y - x) + yz, 
y = cx - y - xz + w, 

- CD 

z = xy - bz, 
w - dw - xz, 

v 

where (a,b,c,d) = (35,8/3,55,1.3). 

• The initialization procedure: 

(1) In double-precision floating-point arithmetic, 
solve Eq. ([I]) with the fourth order Runge-Kutta 
method of fixed step length, h = 0.001, No times 
from the initial condition (x(0),y(0),z(0), w(0)) it- 
eratively, where No > 500. 

(2) Iterate the above quantization process L/4 more 
times and obtain four-dimensional state sequences 
{(x(i),y(i),z(i)Mi))}^ v 

(3) Generate PRNS K = {k(i)}f =1 as follows: for 
1=1,2,..., L/4, set k(4l - 3) = F(x(l)), k(4l - 2) = 
F(y(l)), k(4l - 1) = z(x(l)), and k(4l) = F(w(l)), 
where 

F(x) = (L(|G(jc)| - L|G(jc)|J) x 10 14 j) mod 256, 



l To make the presentation of the whole paper more concise and 
complete, some notations in the original paper 1 12 1 are modified under 
condition that the encryption scheme is not changed. 



G(x) = ixl0 2 -[xx 10 2 ], and |jc|, [x] and |xj 
rounds the absolute value of x, the nearest integers 
of x and the nearest integers less than or equal to x, 
respectively. Note that 

F(x) = (\x x 10 2 -[xx 10 2 ]| x 10 14 ) mod 256 

since L|G(jc)|J) = 0. 

• The encryption procedure includes the following 
two rounds of confusion steps. 

(1) Confusion I: for i = 2 ~ L, do 

t(i) = P (i) e k(i - l) e (t(i - l) + ^(0), (2) 

where 

t(i) = P (i) e k(i) e (c(0) + k(i)), (3) 

c(0) is a predefined integer falling in interval 
[1,255]. 

(2) Confusion II: for i = 2 ~ L, do 

c(i) = t(i) e k(i - 1) e (c(i - 1) + k(i)), (4) 
where 

c(l) = t(l) e £(1) (t(L) + ^(1)). (5) 

- The decryption procedure is similar to the encryp- 
tion procedure except the following points: (1) 
Confusion II is performed first; (2) the operation 
on each elements in the both two diffusion steps is 
carried out in a reverse order; (3) the variables t(i) 
and p(i) in Eq. ^ and the variables c(i) and t(i) in 
Eq. ^ are swapped, respectively. 

3. Cryptanalysis 

3.1. Fatih et al. 's attack 

To make presentation of this paper more complete, 
Fatih et a/.'s attack proposed in fl~3l is reviewed and 
commented in this subsection. 

Substituting Eq. ^ and Eq. ^ into Eq. ^ and 
Eq. Q, respectively, one has 

C (i) = P {\) e k(i) e (c(0) + *(i)) e k(i) e (t(L) + jfc(i» 
= p(\) e (c(0) + *(i)) e (t(L) + *(i)). (6) 
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and 



c (i) = P (i) © k(i - l) e (t(i - l) + k(i)) © k(i - l) 
e(c(i - l) 4- k(i)) 
= P (i) © (t(i - l) + £(/)) e (c(i - l) + 1(0) (7) 

for i = 2 ~ L. The idea of Fatih a/.'s attack is to 
search (/(X), &(1)) and (t(i- 1), &(/)) and verify them with 
Eq. ^ and Eq. ([7]), respectively, where / = 2 ~ L. In 
1 13 ], Fatih a/, choose a plain-image of fixed value 
zero, namely p(i) = 0. Success of Fatih et a/.'s attack 
depends on whether the known values of a and y can 
verify combination J3 and x in 



y = (a + x) © OS + x), 



(8) 



where a,j3,x,y are all 8-bit integers, and (a + x) = 
(a + x) mod 2 8 . Referring to [15], one can see that 
it is very difficult to estimate the required number of 
known/chosen plain-images assuring success of Fatih et 
aUs attack. In addition, computational complexity of 
Fatih et al. 's attack is 0(L • 256 • 256 • 4 • 4) = <9(2 20 L), 
which means the attack complexity is a little high when 
L is very large. 

3.2. Attack with one known plain-image 

In (T21 Sec. 3.4], it was claimed that the im- 
age encryption scheme under study is robust against 
known/chosen-plaintext attack. However, we found the 
encryption scheme can be broken with even only one 
known plain-image. 

Proposition 1. Assume one pair of known plain-image, 
P - {p(i)}f =v and the corresponding cipher-image, C - 
{c(j)}\-\> are available, the unknown sequences {t(i)}\ =x 
and {k(i)}^ are only determined by the values ofk(L - 
1) and k(L). 

Proof: Given the values of k(L - 1) and k(L), one can 
get 

t(L) = c(L) e k(L - 1) e (c(L - 1) + k(L)) (9) 
from Eq. Q. Referring to Eq. ([2]), one further has 

t(L - 1) = (t(L) e p(L) k(L - l))-k(L), (10) 



where a-b = (a - b + 256) mod 256. Then, one can 
obtain 

k(L-2) = c(L-l)®t(L-l)®(c(L-2) + k(L-l)) (11) 
from Eq. Q. Similarly, one can obtain 

(t(i) = (t(i + 1) e p(i + 1) k(i))-k(i + 1) 
]k(i - 1) = c(i) e t(i) e (c(i - 1) + k(i)) 

for i = L - 2 ~ 2, and 

r(l) = (r(2)e/?(2)eifc(l))-ik(2). 

So, the proposition is proved. ■ 

From Proposition [T] one can see that the equivalent 
secret key of the image encryption scheme under study, 
MOl^i an d {k(i)}f =v are only determined by the values 
of k(L - 1) and k(L) when one pair of known-plaintext 
and the corresponding cipher- text are available. As t(L) 
is determined by k(L - 1) and k(L) via Eq. ([9]), and £(1) 
and &(1) are generated by them in the above iteration 
form, two independent equations of form of Eq. ([5]), 
Eq. ([3]), and Eq. ([5|, are available for verification of the 
search in this attack method. Success of this attack de- 
pends on whether wrong version of (k(L - 1), k(L)) can 
generate the corresponding version of (t(l),t(L),k(L)) 
passing verification of Eq. ^ and Eq. ([5]). Assume £(1), 
t(L) and &(1) satisfy uniform distribution, one can get 
the probability of passing verification of Eq. ^ and 
Eq. ^ are both ^ . So, only a small number of k(L- 1) 



and k(L) can pass the verification. As shown in Sec. 3.4 



{&(0}f=i and {k(i) © 128}^ 1 are equivalent for encryp- 
tion/decry ptio of the image encryption scheme under 
study, they are considered as one in this section. Note 
that {c(i)}f =l , {k(i)}^ =1 and L all have influence on the ver- 
ification, the success rate is very hard to be estimated. 
To illustrate this problem, the image "Peppers" of size 
512 x 512, shown in Fig. [2^), is chosen as the known 
plain-image, the number of possible versions of {kii)}^ 
passing the verification under one hundred random se- 
cret keys are shown in Fig.[T] As for 5% of the one hun- 
dred random secret keys, the equivalent secret key can 
be confirmed definitely. As for more than 70% of them, 
the scope size of equivalent secret key is less than 6. 
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When (jc(0),y(0),z(0),w(0)) = (5, 10,5, 10), N = 1000 
and c(0) = 3 (the key used in G2] Sec. 3]), one of the 
possible versions of {k(i)}f =1 passing the verification is 
used to decrypt the cipher-image shown in Fig. [2] and 
the result is shown in Fig.|2jl). It is counted that 60.13% 
of the pixels of the image shown in Fig. [2]i) are cor- 
rect, which shows that even the wrong version may be 
used to recover some information of the cipher-image. 
So, we can conclude that this attack is very effective. 
From Proposition [2j one can see that the most signif- 
icant bit of k(L) need not be searched. So, the com- 
putation complexity of this attack can be estimated as 
0(256 ■ 128 • L • 2 • 3) = <9(2 17 L). 
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Figure 1: The number of possible versions of {k(i)}f =l passing the 
verification under every set of random secret key. 



3.3. Attack with two known plain-images 

When two known plain-images, Pi = {pi(i)}f =1 and 
Pi = {Pi(i)}\ =v and the corresponding cipher-image, 
C\ = {a(0)^p C 2 = {c 2 tt)}\ =v are available, coin- 
cidence of two versions of {k(i)}] =L _ 2 can be used as 
L - 2 independent conditions to verify the search of 
(k(L - l),k(L)) in the above sub-section. So, the suc- 
cess probability of obtaining the equivalent secret key 
can be improved greatly and the attack complexity can 
be reduced much at the same time. 

The detailed approach of the attack can be described 
as follows. 




b) 



d) 



Figure 2: The known-plaintext attack I: a) known plain-image "Pep- 
pers"; b) the cipher-image of "Peppers"; c) the cipher-image of a 
plain-image "Lenna"; d) decryption result of Fig.[2j0. 

• Step 1) Set i = L - 1 and (k(L - l),k(L)) with a 
possible set of values and get 

t\(L) = d(L) e k(L - 1) e (ci(L - 1) + k(L)) 

and 

t 2 (L) = c 2 (L) k(L - 1) e (c 2 (L - 1) + k(L)). 

• Step 2) Set i = i - 1. If i > 1 and 

ci(0 e htt) (ci(i - 1) + k(i)) = c 2 (i) © htt) 

®(c 2 (i-l) + k(i)), (13) 

repeat Step 2); otherwise go to Step 1 ), where 

\htt) = (htt + 1) e pi(i + 1) e k(i))-k(i + 1), 

\t 2 (i) = (t 2 (i + 1) p 2 (i + 1) k(i))-k(i + 1). 

(14) 

• Step 3) If i= 1, 

d(l) = *i(l) e *i(l) e (h(L) + *i(l)) (15) 

or 

C2 (i) = f 2 (i) e fe(i) © feOO + fe(i)), (16) 

output the value of (k(L - 1), &(L)); otherwise go to 
Stepl). 
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Now, let's analyze performance of the above attack. 
Observe Eq. ( [T3] ), one has 

t 

Prob(t) = Y[ Prob{i), 

i=L-2 

where Probii) denotes the probability condition ( [T3] ) is 
satisfied, and t e {L - 2, L - 3, ••-,!}. Obviously, 



Eq. (13) can be considered a function of the form of 
Eq. ([8|. Given variable a,/3,x,y of uniform distri- 
bution, the probability Eq. ^ holds is 1/256. As- 
sume {t(i)}f =v [c(i)}f =1 and {k(i)}f =1 distribute uniformly, 
one can get Probif) = (l/256) L_1_r . So, one can as- 
sure that {k(i)}^, {ti(i)}f =l and {t 2 (i)}^ =l can be de- 
termined in a very extremely high probability when 
the variable i in Step 3) can reach to L - 5. Once 
^i(l), fi(L), ^(1), t2(L), k(l) are determined, the remain- 
ing values of k(L) can be further confirmed with condi- 
tion ([15} or condition (16). In addition, Eq. ([5} can be 
used for verification also. Now, one can conclude that 
{k(i))^=i can be determined in an extremely high prob- 
ability when L > 5. The computational complexity of 
this attack is 0(256 • 128 • 5 • (3 • 2 + 7)) = <9(2 21 ), which 
is smaller than that of Fatih et al. 's attack very much. 

To verify the above analysis, some experiments were 
made. Beside the pair of known plain-image and 
the corresponding cipher-image shown in Fig. [2j an- 
other plain-image "Babarra" and the encrypted version, 
shown in Figs. [3^), b), respectively, are used. Then, 
the obtained equivalent secret key is used to decrypt the 
cipher-image shown in Fig. |2j:) and the recovery result 
is shown in Fig. [3]:), which is identical with the original 
version. 

3.4. Two other security defects 

In this subsection, two other security defects of the 
image encryption scheme under study are discussed. 

• Low sensitivity with respect to changes of secret 
key 

In [Q21 Sec. 3.3.1], it was concluded that the im- 
age encryption scheme under study is sensitive to 
changes of secret key from experiment results on 



a) 




c) 

Figure 3: The known-plaintext attack II: a) the second known plain- 
image "Babarra"; b) the cipher-image of plain-image "Babarra"; c) 
decryption result of Fig.[2j0. 

some selected secret keys. However, this conclu- 
sion is groundless. From Proposition [2] one has 

' c(i) = P {\) e (t(L) + k(i)) e (c(0) + k(i)) 
= P (i) e (t(L) + (k(i) e 128)) e (c(0)+ 
(£(i)ei28)) 

and 

{ C (i) = P (i) e (t(i - l) + k(i)) e (c(i - l) + it®), 
= p(i) e (t(i - l) + (k(i) e 128)) e (c(i - 1)4- 
(*(0 e 128)), 

for i = 2 ~ L, which means that K' = {k\i)}^ =l 
is equivalent to K = {k(i)}^ =1 with respect to 
encryption/decryption procedure, where k'(i) e 
{k(i),k(i) 128}. So, there are at least 2 L equiv- 
alent secret keys for each secret key of the im- 
age encryption scheme under study. This serious 
defect also exists in some other image encryption 
schemes lfT6l . 

• Low sensitivity with respect to change of plain- 
image 

As well known in the field of cryptology, sensi- 
tivity of encryption results with respect to changes 
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of plaintext is an important property measuring a 
secure encryption scheme. This property is es- 
pecially important for secure image encryption 
schemes due to the following reasons: (1) strong 
redundancy exist among neighboring pixels of an 
uncompressed plain-image; (2) a plain-image and 
its watermarked versions, which generally modify 
the original image slightly, are often encrypted at 
the same time. In (T21 Sec. 3.3.2], it is claimed 
that the proposed encryption scheme is very sensi- 
tive with respect to changes of plain-image. How- 
ever, the claim is questionable due to the following 
points: (1) there is no any nonlinear operation, like 
S-box, is involved in the whole encryption scheme; 
2) there is no any operation generating carry bit to- 
ward lower level in the whole scheme, so a bit of 
plain-image can only influence the bits in higher 
bit planes of the corresponding cipher-image. 

Proposition 2. Assume a and J3 are n-bit non-negative 
integers, then 

Proof: First, a © 2 n ~ l = a + 2 n ~ l can be proofed under 
the following two cases: (1) when a > 2 n ~ l , one has 
a®2 n ~ l =a-2 n ~ l =a + 2 n ~ l ; (2) when a < 2 w_1 ,one 
hasae2"" 1 =a + 2 n ~ l =a + 2 n ~ l . So, (a®2 n - l )+j3 = 
(a+fl) + 2 n ~ l = (a + £) © 2 n ~\ ■ 

4. Conclusion 

This paper re-studied security of a novel image en- 
cryption scheme in detail. It is found that the encryp- 
tion scheme can be effectively broken with only two 
known plain-images. Both mathematical proofs and ex- 
perimental results are presented to support the proposed 
attack. In addition, some other security defects of the 
encryption scheme are shown also. 
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